Data Processing Addendum

Effective: June 2026 · Last updated: June 2026

Design Partner Version. This DPA reflects Govalta's current data processing practices for design partner engagements. Enterprise customers requiring a countersigned DPA should contact contact@govalta.com. A negotiated DPA can be provided upon request.

1. Parties and Scope

This Data Processing Addendum (“DPA”) is entered into between Govalta (“Processor”) and the organization accessing the Govalta platform (“Controller”). This DPA supplements and is incorporated into the applicable service agreement between the parties.

This DPA applies to all personal data processed by Govalta on behalf of the Controller in connection with the provision of the Govalta platform and assessment services.

2. Definitions

Personal Data: Any information relating to an identified or identifiable natural person processed through the Govalta platform on behalf of the Controller.
Processing: Any operation performed on Personal Data, including collection, storage, retrieval, consultation, use, disclosure, or erasure.
Data Subject: Any individual whose Personal Data is processed through the Govalta platform.
Sub-processor: Any third party engaged by Govalta to process Personal Data on behalf of the Controller. Current sub-processors are listed at /legal/subprocessors.

3. Processing Details

Nature of processing: Storage, retrieval, AI-assisted analysis, and display of remediation evidence and validation records
Purpose of processing: Providing the Govalta evidence validation and issue remediation platform to the Controller
Duration of processing: For the term of the applicable service agreement, plus any data retention period described in the Data Retention Policy
Categories of data subjects: Employees, contractors, and authorized users of the Controller who interact with the Govalta platform
Categories of personal data: User account information (name, work email, role); authentication data; usage logs; content uploaded by users including remediation evidence documents
Special categories of data: None expected. Controller is responsible for ensuring that no sensitive personal data categories requiring enhanced protection are uploaded without prior agreement.

4. Controller Obligations

The Controller agrees to:

  • Ensure that any Personal Data uploaded to the Govalta platform is processed lawfully under applicable data protection law
  • Obtain any necessary consents or authorizations from data subjects prior to uploading their personal data
  • Ensure that user accounts are provisioned only to authorized individuals and that access is revoked promptly when no longer required
  • Notify Govalta promptly if the Controller becomes aware of any unauthorized access to or use of Personal Data processed through the platform

5. Processor Obligations

Govalta agrees to:

  • Process Personal Data only on documented instructions from the Controller, or as required by applicable law
  • Ensure that personnel authorized to process Personal Data are bound by appropriate confidentiality obligations
  • Implement and maintain appropriate technical and organizational security measures as described in the Security and Confidentiality section of the Privacy Policy
  • Notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller's data
  • Assist the Controller in fulfilling data subject rights requests to the extent technically feasible
  • Not engage sub-processors without the Controller's general authorization, and provide notice of changes to sub-processors
  • Delete or return Personal Data at the end of the service relationship as directed by the Controller, subject to the Data Retention Policy

6. Sub-processors

The Controller grants Govalta general authorization to engage sub-processors for the purposes of delivering the platform and assessment services. The current list of sub-processors is available at /legal/subprocessors.

Govalta will provide notice to the Controller prior to adding or replacing any sub-processor. If the Controller objects to a sub-processor change, the Controller may terminate the service agreement by providing written notice within 30 days of the notification.

Govalta ensures that each sub-processor is bound by data protection obligations at least equivalent to those in this DPA.

7. International Data Transfers

Govalta and its sub-processors are located in the United States. Processing of Personal Data may involve transfers to the United States. Govalta relies on applicable transfer mechanisms (including standard contractual clauses where required) to ensure that such transfers are conducted in compliance with applicable data protection law.

Customers with specific data residency requirements should discuss those requirements with Govalta before onboarding.

8. Security Measures

Govalta implements the following technical and organizational measures to protect Personal Data:

  • Encryption of all data in transit using TLS 1.2 or higher
  • Encryption of files at rest via Supabase Storage (AES-256)
  • Role-based access controls within organizational workspaces
  • Enterprise SSO authentication with session TTL enforcement
  • Access logging and audit trails for administrative actions
  • Vendor risk assessments for sub-processors with access to Personal Data

9. Data Deletion

Upon termination of the service relationship, or upon written request, Govalta will delete Personal Data in accordance with the Data Deletion Policy. Govalta may retain Personal Data for a limited period where required by applicable law or for legitimate business purposes (such as fraud prevention or legal compliance), and will inform the Controller of any such retention.

10. Audit Rights

The Controller may request information demonstrating Govalta's compliance with the obligations in this DPA. Govalta will respond to such requests within a reasonable timeframe. On-site audits may be requested with reasonable advance notice and are subject to agreement on scope, timing, and cost.

11. Contact

For questions about this DPA, to request a countersigned version, or to exercise data subject rights, contact:

Govalta
contact@govalta.com